It was just another business day. The accounts payable team was issuing payments to vendors when an email came through instructing them to change a vendor’s bank information. An employee took care of the change and funds were sent as requested—but the vendor never received the funds. It was later discovered the money went to a fraudulent account that was provided via a compromised business email.
Another company had a six-figure check altered and cashed after being stolen from a U.S. Postal Service mailbox. Fraud is hitting businesses hard on a daily basis.
Losses connected to cybercrime complaints hit $12.5 billion in 2023, up $2 billion year-over-year and more than triple the amount recorded in 2019, according to the FBI's Internet Crime Report.
"For businesses, it's not a matter of 'if', but 'when' these days," said Linda Marcum, director of treasury sales enablement at BOK Financial®, adding that companies need to be prepared for the inevitable because, at some point, a fraudster will try to steal data, information or money from you.
5 ways fraudsters attack businesses
- Account takeovers. Fraudsters gain unauthorized access to accounts, including online personal and corporate banking, wealth management, investment and brokerage accounts, and take control of them for malicious activities, such as putting user IDs up for sale along with exposed login information and passwords.
- Check fraud. Stolen checks are "washed" or digitally manipulated, and the fake checks are then sold or used to clean out funds from accounts.
- Mule accounts. These accounts allow a fraudster to use your account to transfer money and keep a portion as a kickback.
- Compromised payment cards. Stolen credit card information, such as a card number, a name or an expiration date, is used to make unauthorized purchases or is sold.
- Security breach. Fraudsters gain unauthorized access to confidential data such as customer payment or identity information to use maliciously.
Businesses are still using checks—and they're getting stolen
Putting a check in the mail is not as safe as it used to be. "The U.S. Postal Service continues to raise awareness about the number of items stolen out of the blue mailboxes and postal workers being robbed for their arrow keys which unlock secure lockboxes for specific zip codes," said Scott Edwards, director of fraud risk management at BOK Financial.
He added that there's a low barrier to entry for a fraudster to set up a counterfeit check ring, which makes it a popular crime, noting that it only takes about $400 to buy the equipment and stolen checks sold on fraud forums.
Every time you put a check in the mail, you're potentially providing your banking account information to a criminal—the account name, account number, bank routing number, address and a perfect specimen of an authorized signature.
The Association for Financial Professionals (AFP) annual payments fraud survey found that checks continue to be the payment method most vulnerable to fraud, with 65% of survey respondents reporting having faced this type of attack. That’s largely due to checks being sent by mail and then being stolen along the way. The United States Postal Service saw a 10% increase in this activity since the 2022 survey.
If your business wants to continue using check payments, you need to review all the protection tools available. It's important to know you can't just look to the bank to bail you out if fraudsters manage to clean out thousands from your bank accounts by using counterfeit checks, Marcum said.
“The bank continually adds protections to help detect fraudulent items, but companies also need to continually review how they are protecting themselves,” she said.
At BOK Financial, the fraud team will attempt recovery and ultimately determine if there is a way to recover funds stolen through fraud. If the fraud is caught within 24 hours, there is a much greater potential for recovery, Edwards said, but it is not a guarantee as real-time payments allow criminals to move money as soon as it is received. By the time the bank is informed, the money may already be gone.
Proactive protection necessary
Marcum recommends commercial clients take proactive steps to prevent fraud, including:
- Implement systems such as Positive Pay with payee name verification to add layers of protection for check and ACH payments. The service allows payments to be completed only if the amount and recipient have been identified in advance or confirmed by you.
- Place ACH or check blocks on accounts that the company doesn't plan to use for transactions.
- Enforce separation of duties by requiring two approvals on any money movement outside the bank to minimize internal fraud.
- Reconcile accounts daily rather than monthly. Fraud must be caught and reported within a slim 24-hour window if a company hopes to recover stolen funds.
- Develop a training program so your employees understand the types of fraud and how to identify them.
Business email compromise (BEC) a daily threat
Breaches in business emails continue to be problematic for companies. The AFP survey identified ACH credits as the payment type most vulnerable to BEC fraud (47%), followed by wire transfers (39%) and ACH debits (20%).
The advances in artificial intelligence (AI) are making it harder to tell what's fake versus real. "It used to be fraudulent emails had obvious typos and spelling mistakes and involved a prince in a foreign country," said Edwards. "Now, with AI written communications, it's much more sophisticated, and businesses are having their vendors and ACH payments compromised."
And AI can be used for scam attempts not only over email but also for deep fake voice fraud over the phone and via live chats.
“With AI, one person can do the work of a thousand fraudsters, so the scalability is exponential. They're targeting people overwhelmed with their day-to-day activities and rushing through things without paying attention.” - Scott Edwards, director of fraud risk management at BOK Financial
Both experts agree that investing in ongoing employee education is key. "Train employees on the types of fraud out there and the specific things they need to change in their routine," said Marcum. "If a vendor calls to change where payments are sent, your employees should know how to verify those types of requests."
Tips to protect your company
Marcum recommends businesses have a variety of manual and system controls to help thwart fraudsters.
- Use an alternate form of communication other than email, such as a telephone call, to verify payment and purchase transactions over a pre-set dollar amount.
- Standardize with your customers and business partners how changes in account information will be communicated and validated, and know how they validate theirs.
- Beware of sudden changes in business practices or contact information; be especially wary if the requestor is pressing you to act quickly.
- Be aware that fraudsters are currently spoofing legitimate phone numbers and appearing to call from financial institutions. Warn employees to stay extra vigilant and not to provide your confidential banking information or login credentials.
If BOK Financial fraud and risk management receives an alert about a compromised client, the team will contact the client for details, but BOK Financial will never call or text asking about your login credentials, nor ask for your password or security codes.
Learn more about BOK Financial's online security. If you suspect you're a victim of fraud, contact your financial institution immediately. Report suspicious activity on BOK Financial-related accounts to 844-517-3308. The Cybersecurity and Infrastructure Security Agency also keeps an up-to-date list of current threats.